Thursday, October 15, 2009

SNTT- Secure your RDP

If there is one thing an administrator needs, it's remote access.... to just about anything.

Some companies frown on this, but honestly, do you really want to wait for someone to get in a car, drive 40 miles to the office, just to enter a few commands on a Windows server at the OS level?

So the early days we had PCAnywhere which was most common, but we used a bunch of things and then VNC and finally Microsoft RDP (Remote Desktop Protocol) and now gotomypc, logmein and tons of others.

And how it makes life easier, except for one thing, and I have watched this at many companies be the case if no VPN exists or their Domino servers are on the outside of the firewall.

One can RDP to any server set up for it in Windows. But, just as much as I can connect...so could a malicious user. If one knows the name of the server, one can start a dictionary attack or today's equivalent especially if no one limits the attempted logins. Windows has various ways to lock this down, Transport Layer Security (TLS) is suggested, but if not feasible, at least set the account lockout thresholds, account lockout duration, etc.. One can also narrowly define who has such access and from what IP address and well, this can go on forever as far as options go but let's presume you are an SMB and cheap too.

One simple and free way is to change the RDP ports.
Regular RDP runs on Port 3389.
3389/TCP Microsoft Terminal Server (RDP) officially registered as Windows Based Terminal (WBT)

But you can change this number in your registry settings to any port number you wish.

Follow this Microsoft technote to change the port number which says:

Start Registry Editor.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
On the Edit menu, click Modify, and then click Decimal.
Type the new port number, and then click OK.
Quit Registry Editor.


If you need help figuring out what port to use, this Wikipedia page is a good place to start. But you should be able to use 3389-3395 and many at the higher end of the list. (I know someone will correct me if not)

Then when you go to use RDP make sure to add the port at the end of the server name. For example: lotusevangelist.com:3395 (nope, not my port #)

And you are done. Now do it for each server(either all port 3392 or each one unique. Yes, I know this can cause some problems, but if you create a logic to the numbers it can work for you.

Why should you do this, even inside your own company or if you have a VPN? Because of this and scarily this as well.

Your own people may try to hurt you, sadly, so be careful out there.